SQL Injection is 90% SQL, WebSec is 90% WebDev

I believe too many people take the wrong approach to security, or “hacking”. Most who seek this ability clamor for answers to questions like, “How can I hack SQL?” “How can I hack Linux?” “How can I hack web applications?” There’s a really simple answer. Learn SQL. Learn Linux. Learn to build web applications. What people call “hacking” actually reduces perfectly into two simple things:

Deep understanding of a technology

Making it do something it’s not supposed to do

Once you combine a deep understanding of something with curiosity, all sorts of ways of abusing said system are presented to you. This requires talent, skill, and practice — don’t misunderstand — and there are many hardcore developers who understand their technology extremely well but couldn’t hack a vegetable cart. Why? — because they lack curiosity and/or the attacker mindset, so they never get to step 2.

In truth, I’d actually say that developing on, or mastering, a technology is not only the best method to becoming good at security, it’s actually the only method. Anything less is a 0 in a world where 1 is the standard. If you don’t know SQL then you don’t know SQL Injection. If you don’t know operating systems then you can’t break operating systems. And if you can’t build a web application then you aren’t really doing WebAppSec.

You can use blunt tools to take chunks out of these subjects (tutorials, automated scanners, etc.), but to truly be good at breaking something you must know how it works. Anything less is hamfisting.